Come join us for the first annual conference! We’ve hand-selected a group of industry leaders to share their experiences in the lovely setting of Kailua-Kona, HI.

Read more at:  https://locomocosec.com


Tuesday, April 3
 

9:00am

Advanced Website Hacking
More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ES2017 & AngularJS are just some terms that describe the contents of the modern web stack. But how does the attack surface look for those? What if there are no GET parameters anymore for our scanner to tamper with? Classic web pentests are “so nineties” in this realm. And keeping up the pace with progress is getting harder and harder.

But there is hope. We’ll learn how to attack any web application with either unknown legacy features or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES2017 mailing lists. Whether you want to attack modern web applications or shiny browser extensions, we have that covered.

HTML is a living standard. And so is this workshop. The course material will be provided on-site and via access to a private GitHub repository, so all attendees will receive updated material even months after the actual training.

Trainers

Dr.-Ing. Mario Heiderich, Founder, cure53.de
Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters...


Tuesday April 3, 2018 9:00am - 5:00pm
Hualalai Room

9:00am

AppSec Automation: Pipelines, APIs and Getting Things Done Faster
Note: This is a two-day, hands-on course.
You’ve probably heard many talks about DevSecOps and continuous security testing, but how many provided the tools and training needed to actually start that testing? This training does exactly that. It provides the tools you’ll need to take you from testing to reporting to remediation and retesting with the help of automation. Utilizing multiple open source tools including OWASP’s AppSec Pipeline and Defect Dojo, the training will provide an overview of key application security automation principles and hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, students will cover the crucial aspects of where and when to add automation to their application security programs and gain experience with integrating APIs, conducting continuous testing, ChatOps integration (Slack), techniques to automate commercial scanners, consolidating and de-duplicating security issues, automating submission of issues to defect trackers, and generating reports and metrics. Students should leave with a firm understanding of how to apply DevOps and Agile concepts to optimize their security programs using local or cloud infrastructure. The techniques in this training have been used at real-world companies at scale and have shown a 5x increase in AppSec team output year over year, and a 9.4x increase over two years. With an AppSec Pipeline, you don’t have to dread hearing about that release that’s happening tomorrow.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline specifically geared towards continuous testing. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program, allowing the student to have seen the concepts in action before returning to work and applying them to their specific situation. New implementations of OWASP’s AppSec Pipeline are being released as part of this training, so be the first to use the next generation of testing automation.
Who Should Take This Course?
AppSec professionals who are part of an internal AppSec program or anyone needing to automate security assessment work. This course is designed to demonstrate both the principles in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages and OWASP projects will be used to set up an example AppSec Pipeline in a series of hands-on labs. The concepts and techniques of this course can then be applied to the students’ own AppSec programs to build a custom AppSec Pipeline. Additionally, those conducting penetration tests or running a team of testers could also gain valuable insight into how to speed up their work and remove some of the drudgery from pen testing.
What Should Students Bring?
A 64-bit laptop capable of running Docker. Custom Docker images containing all the necessary software for the labs will be provided to students.

Trainers

Matt Tesauro, Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he wa...


Tuesday April 3, 2018 9:00am - 5:00pm
Mauna Kea Room
 
Wednesday, April 4
 

9:00am

Advanced Website Hacking
Second day of the workshop; see the description under Tuesday, April 3.

Trainers

Dr.-Ing. Mario Heiderich, Founder, cure53.de


Wednesday April 4, 2018 9:00am - 5:00pm
Hualalai Room

9:00am

AppSec Automation: Pipelines, APIs and Getting Things Done Faster
Day two of the two-day course; see the description under Tuesday, April 3.

Trainers

Matt Tesauro, Senior AppSec Engineer, Duo Security


Wednesday April 4, 2018 9:00am - 5:00pm
Mauna Kea Room

6:00pm

Reception: Sunset on Keauhou Bay
Spend some time networking while watching the sun set over Keauhou Bay.

Wednesday April 4, 2018 6:00pm - 8:00pm
 
Thursday, April 5
 

9:00am

I’m Pwned. You’re Pwned. We’re All Pwned.
Face it – it’s going to happen. It’s going to happen to you, it’s going to happen to your company and it’s definitely happened to me! Security incidents are now just a part of normal everyday online life and we need to adapt to the new reality.
 
In this talk, we’ll look at how security is changing and the things we can do to evolve our approaches in the era of the data breach. You’ll see many of the common attacks organisations are falling victim to today, how our attitudes towards passwords are changing, how to get responsible disclosure right (both as an individual and an organisation) and get a look inside some of the more modern security defences our browsers offer us today.
 
This talk is a mix of real world events, practical coding and face-palmingly painful security examples.

Speakers

Troy Hunt
Troy is a Microsoft Regional Director and MVP, Pluralsight author and world-renowned internet security specialist. He spends his time teaching developers how to break into their own systems before helping to piece them back together to be secure agains...


Thursday April 5, 2018 9:00am - 9:40am

9:40am

Quick Break
Thursday April 5, 2018 9:40am - 9:50am

9:50am

How I learnt to play in the (CSP) Sandbox
The typical way to isolate untrusted components on the web is to run them in an isolated domain. While very secure, "untrustedsite.com" is not the best place to host a lot of content like help center, forums, marketing pages. It looks bad and has a bunch of administrative overhead. Instead, an alternative is to use the CSP sandbox directive to isolate untrusted components in the "null" origin but still serve them from your main site. This is a lot easier to deploy and provides a powerful mitigation. This talk will cover how we deployed a CMS on www.dropbox.com without increasing our XSS risk; some interesting corner cases to think about; and a discussion on upcoming primitives like Suborigins that will make all of this a lot easier.
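The isolation the abstract describes hinges on one detail: the CSP sandbox directive puts the response in an opaque ("null") origin only as long as the allow-same-origin flag is absent. The following is an added example, not the speaker's code and not Dropbox's deployment: it builds a policy for untrusted CMS pages served from the main host and audits an arbitrary policy for the flags that undo the isolation. The host www.example.com and the /help/ path are assumptions.

```javascript
// Added example (not from the talk). Assumed layout: untrusted CMS content
// is served from https://www.example.com/help/ on the main origin.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// With 'sandbox' present and 'allow-same-origin' absent, the document gets an
// opaque origin: no cookies, storage or DOM access to www.example.com, even
// though the bytes are served from www.example.com/help/.
function sandboxedCmsPolicy() {
  return [
    "default-src 'none'",
    "script-src https://www.example.com/help/",
    "style-src https://www.example.com/help/",
    "img-src https://www.example.com/help/ data:",
    "sandbox allow-scripts allow-forms",
  ].join("; ");
}

// Returns a list of findings; an empty list means the policy really isolates.
function auditSandbox(header) {
  const policy = parseCsp(header);
  const findings = [];
  if (!policy.has("sandbox")) {
    findings.push("no sandbox directive: content keeps the main origin");
    return findings;
  }
  const flags = policy.get("sandbox").map((f) => f.toLowerCase());
  if (flags.includes("allow-same-origin")) {
    findings.push("allow-same-origin: document keeps the main origin, so an XSS in it is an XSS on the main site");
  }
  if (flags.includes("allow-top-navigation")) {
    findings.push("allow-top-navigation: sandboxed page can navigate the top-level window");
  }
  return findings;
}

module.exports = { parseCsp, sandboxedCmsPolicy, auditSandbox };
```

Two deployment caveats: the sandbox directive is honoured only when the policy arrives in the Content-Security-Policy header (it is ignored in a meta element), and every response under the untrusted path, error pages included, must carry it, since a single unsandboxed response there is a same-origin page again.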

Speakers

Devdatta Akhawe, Engineering Manager, Product Safety, Dropbox
Devdatta leads the Product Security team at Dropbox. Before that, he received a PhD in Computer Science from UC Berkeley. His graduate research focused on browser and web application security, during which time he also collaborated with the Firefox and Chrome teams. He is a co-author of award-winning papers on security at top academic conferences and has also spoken at Blackhat, AppSec Cali, etc. He is also a co-editor on the Sub Resource Integrity and Sub Origins specifications at the W3C. More info about him (including how to pronounce his name) is at...


Thursday April 5, 2018 9:50am - 10:30am

10:30am

Coffee and snacks!
Snacks, coffee, beverages

Thursday April 5, 2018 10:30am - 11:00am

11:00am

Starting, growing, and scaling your host intrusion detection efforts
Osquery is a lightweight host intrusion detection tool that organizations can use to monitor extremely large production environments as well as smaller corporate environments. In this talk, we will discuss how to get started with osquery and how the way that you manage osquery may change as your organization and objectives evolve. Starting small with an initial PoC, it's important to exhibit a full detection pipeline as quickly and simply as possible. Over time, as you instrument more environments at your organization, the tools that are available for device configuration and communication will likely change. With many environments to monitor, we will be able to take advantage of more osquery features that allow us to succinctly and dynamically reason about attack surface based on system state. As we talk through this evolution, we will discuss proven strategies and common pitfalls.

Speakers

Mike Arpaia, Co-Founder and CTO, Kolide.co
Mike Arpaia is the CTO and Co-Founder of Kolide and the original creator of osquery, which he created, open-sourced, and widely deployed while working at Facebook. While at Facebook, he then went on to lead the company's intrusion detection efforts, wh...


Thursday April 5, 2018 11:00am - 11:40am

11:40am

Lunch
Food!

Thursday April 5, 2018 11:40am - 1:00pm

1:00pm

Top Infosec Lessons Learned Researching And Co-Authoring The DevOps Handbook
Holy cow, I learned so much since The Phoenix Project came out in 2013.  In this talk, I will share my top learnings while co-authoring The DevOps Handbook with Jez Humble, Patrick Debois, and John Willis. I’ll talk about the latest findings from the State of DevOps Report, the true importance of deployment lead times, how DevOps truly transforms the lives of Dev and Ops and Infosec, what I learned about Conway’s Law, and how DevOps is a subset of dynamic learning organizations, of which Toyota is the most famous. This project was one of the most fun and rewarding adventures of my life, and I want to share some of my biggest a-ha moments!

Speakers

Gene Kim, CTO, researcher and author
Gene Kim is a multiple award-winning CTO, researcher and author. He was founder and CTO of Tripwire for 13 years. He has written three books, including “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win” and the newly-r...


Thursday April 5, 2018 1:00pm - 1:40pm

1:40pm

Quick Break
Thursday April 5, 2018 1:40pm - 1:50pm

1:50pm

XSS is dead. We just don't get it.
XSS is about twenty years old by now and appears to be alive and kicking. JavaScript alerts are still popping left and right and bug bounty programs are drowning in submissions.

But is XSS really still a problem of our time? Or is it just an undead foul-smelling zombie vulnerability from the dark ages of string concatenation that doesn't wanna perish because we are just too f**** stubborn?

This talk will be an hour-long rant (yes, swearwords, leave your kids at home), paired with a stroll through the history of XSS and related issues. We will go back into the year 1998 and see how it all started, how things developed, what we tried to do against it and how hard we failed every single time. We will also look at the future and predict what is about to happen next. Mostly nothing - but good to know, right?

We will not only look at our own failures but also see how the entire infrastructure and monetization of the web contributed to us being simply not capable or even just willing to fix XSS. And we might as well see if any of those behavioral and structural patterns can be compared to other human failures - and see if there is something we all can learn. Or, at least, agree that we knew it all along and are all on the same page.

Speakers

Dr.-Ing. Mario Heiderich, Founder, cure53.de (bio under the Tuesday training entry)


Thursday April 5, 2018 1:50pm - 2:30pm

2:30pm

Coffee and snacks!
Snacks, coffee, beverages

Thursday April 5, 2018 2:30pm - 3:00pm

3:00pm

How to REACT to JavaScript Security Issues
According to a Stack Overflow survey, JavaScript is the most commonly used programming language on earth. The JavaScript ecosystem is vast and complex. It includes JavaScript on the client-side, on the server-side, in mobile applications, and even in database engines. Today just the client-side JavaScript space offers over 50 frameworks. The amount of application logic that is executed in the browser is growing every year, which means the attack surface is growing as well. Which security issues are most common in JavaScript applications? Do new frameworks provide the security controls needed to protect the growing amount of client-side code? In this talk we will answer these questions and, as an example, we will look at one of the hottest JavaScript frameworks today – React. We will discuss its new features like components and server-side DOM rendering, analyze React’s security posture and demonstrate existing vulnerabilities.
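The abstract asks whether a framework's built-in controls cover the code that ends up in the browser. As an added example, not the speaker's material and not React's own API, here are two well-known places where JSX's automatic text escaping does not reach, with the helper checks a reviewer would ask for: URL-valued attributes (JSX escapes characters, not URL schemes, so an href fed a javascript: URL still runs it) and server-side rendering that writes initial state into a script tag (where a string containing "</script>" ends the tag early). The allowlist of schemes is an assumption to adjust per application.

```javascript
// Added example (not from the talk, not React code): plain helpers for the two
// contexts JSX's escaping does not cover.

// Browsers strip leading/trailing C0 controls and spaces from a URL and drop
// tabs and newlines anywhere before reading the scheme, so " jAvA\tscript:"
// is still javascript:. Normalise the same way before checking.
function isSafeUrl(url) {
  const s = String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (!m) return true; // relative URL: no scheme to abuse (open redirects are out of scope here)
  return ["http", "https", "mailto", "tel"].includes(m[1].toLowerCase()); // assumed allowlist
}

// Use as: <a href={safeHref(userSuppliedUrl)}>
function safeHref(url) {
  return isSafeUrl(url) ? String(url) : "about:blank";
}

// SSR: serialise state for embedding inside <script>. JSON.stringify alone is
// not enough: "</script>" closes the tag, and U+2028/U+2029 are line
// terminators in older JavaScript engines. Escaping inside JSON string
// literals keeps the output valid JSON.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Builds the bootstrap snippet a server-rendered page would emit.
function stateScriptTag(state) {
  return `<script>window.__STATE__ = ${jsonForScript(state)};</script>`;
}

module.exports = { isSafeUrl, safeHref, jsonForScript, stateScriptTag };
```

dangerouslySetInnerHTML is the third gap and needs an HTML sanitizer rather than a check like these; the name is the framework telling you so.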

Speakers

Ksenia Peguero, Sr. Research Lead, Synopsys
Ksenia Dmitrieva-Peguero is a Principal Consultant within Synopsys’ Software Integrity Group. She has seven years of experience in application security and five years of software development experience. Ksenia is a subject matter expert in a variety...


Thursday April 5, 2018 3:00pm - 3:40pm

3:40pm

Quick Break
Thursday April 5, 2018 3:40pm - 3:50pm

3:50pm

How bots decide what you can buy and how much you'll pay
Everything you’ve been thinking is true, and it’s way more interesting than you thought. That’s because the highwaymen of today no longer hide in the shady corners of the Internet — they occupy major airlines and extort unsuspecting travellers (you!) by blocking competitive seats. They swoop in with millions of automated attacks that constantly reserve the most affordable seats on popular flights and force people to purchase more expensive airfares. This monopolizes the supply of tickets, while driving their demand to an astronomical profit. These attacks use payment redirections, like PayPal, and reserve seats indefinitely without ever needing to finalize the transaction. In a matter of seconds, every affordable fare can be tied up, preventing legitimate paying customers from being able to see, and book, these seats. And while all of this may sound extraordinary, it’s anything but uncommon in the ticketing industry – where rampant automation is big business for criminals and ticketers alike. This talk will cover a live demonstration of how bots exploit airline ticket sales and distribution; why ticketers knowingly offload their risk to criminals at your expense; what abuse cases already exist in other industries using the same methods; and a discussion on the future of human verification in the automation age.

Speakers

Kevin Gosschalk, CEO / Founder, FunCaptcha
Kevin Gosschalk is the CEO and Co-Founder of FunCaptcha, where he leads a team of people focused on telling computers and humans apart on the Internet. He gained early recognition for his work with the Institute of Health and Biomedical In...


Thursday April 5, 2018 3:50pm - 4:30pm

4:30pm

Quick Break
Thursday April 5, 2018 4:30pm - 4:40pm

4:40pm

Panel: TBD
Jeremiah sits down with a few panelists to discuss $topic

Speakers

Jeremiah Grossman, Chief of Security Strategy, SentinelOne
Founder of WhiteHat Security. World-Renowned Professional Hacker. Brazilian Jiu-Jitsu Black Belt. Published Author. Influential Blogger. Off-Road Race Driver. Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer...


Thursday April 5, 2018 4:40pm - 5:20pm
 
Friday, April 6
 

9:00am

The Trouble with URLs, and how Humans (Don't) Understand Site Identity
URLs are supposed to be useful in web browser UI to help users understand site identity, navigate around the web, and share interesting content. But are URLs accomplishing all of those tasks? Come hear research from the Chrome Security team about what URLs are useful for, and some ideas for browser UI that might better accomplish those tasks in the future.

Speakers

Emily Schechter, Product Manager for Chrome Security, Google
Emily Schechter is Product Manager for Chrome Security at Google, where she works on Chrome Security UX and HTTPS adoption on the web. She has previously worked on the Google Safe Browsing and Anti-Malvertising teams to keep Google and web users safe from online threats. Emily ha...


Friday April 6, 2018 9:00am - 9:40am

9:40am

Quick Break
Friday April 6, 2018 9:40am - 9:50am

9:50am

Beyond Bearer: Token Binding as the Foundation for a More Secure Web

The overwhelming majority of security tokens used today on the web are bearer tokens (e.g. HTTP cookies, OpenID Connect ID tokens, SAML assertions, OAuth tokens). Any party in possession of a bearer token is able to use it to gain access to the associated protected resources, which makes them a highly attractive target for attackers. Although there have been many efforts to provide better than bearer security, none have achieved widespread deployment success. Token Binding is a new IETF protocol that enables strong cryptographic defenses against the use of stolen security tokens and, with a novel approach and the backing of some very significant industry players, has the potential to find the success that’s been elusive to previous attempts. This session will provide an overview of how Token Binding works and its application to higher level protocols like OpenID Connect and OAuth. Some bad jokes and gratuitous photography will be included to take the edge off the otherwise very nerdy content.

Speakers

Brian Campbell, Distinguished Engineer, Ping Identity
As a Distinguished Engineer for Ping Identity, Brian Campbell aspires to one day know what a Distinguished Engineer actually does for a living. In the meantime, he's tried to make himself useful with little things like designing and building much of Pi...


Friday April 6, 2018 9:50am - 10:30am

10:30am

Coffee and snacks!
Snacks, coffee, beverages

Friday April 6, 2018 10:30am - 11:00am

11:00am

The (Application) Patching Manifesto
Patching programs are a part of every organization; Patch-Tuesday rolls around and the IT staff tests and pushes out patches for Windows. Unfortunately, when it comes to application dependencies most organizations are woefully behind – yet the bad guys have been stepping up their game. This talk will cover why the problem exists and what organizations can do to improve. We will also discuss techniques to limit exposure between security patch release and deployment.

Speakers

Jeremy Long, Principal Engineer
Jeremy Long is a principal engineer at a large financial institution. He specializes in securing the SDLC via secure coding training, security requirements and coding standards, tooling for early identification in build pipelines, etc. He has a deep un...


Friday April 6, 2018 11:00am - 11:40am

11:40am

Lunch
Food! Our signature dish to close things out.

Friday April 6, 2018 11:40am - 1:00pm

1:00pm

Identity and Access Management: Judgment Day
When you design identity and access management (IAM) systems, consider psychology and sociology in addition to computer security. The goal of this talk is to describe the human-computer interaction problems presented by IAM and three real-world patterns with open-source implementations for managing AWS IAM in an organization. The cloud is a powerful force that changes the way we defend against adversarial software. More of us are shipping more code, more often. We use IAM systems to communicate our expectations about our code’s behavior to the machines running it. Vague specifications and impedance mismatches between human biases and machine logic make this communication channel lossy. Without careful consideration, our software can be exploited to turn against us.
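The "lossy channel" the abstract describes shows up concretely in how people read IAM policies versus how AWS evaluates them. As an added example, not from the talk and not one of the open-source tools it refers to, here is a minimal evaluator of the AWS policy decision rule (an explicit Deny anywhere beats every Allow; anything not allowed is implicitly denied) plus a lint for the grants that read innocently and are not. Only Effect, Action, NotAction and Resource with the * and ? wildcards are modelled; conditions, principals and NotResource are assumed absent, and the sample policies are constructed.

```javascript
// Added example (not from the talk). Models AWS IAM's core decision logic for
// identity-based policies without conditions.

function wildcardToRegex(pattern, ignoreCase) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters, keep * and ?
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, ignoreCase ? "i" : "");
}

const asList = (v) => (Array.isArray(v) ? v : v === undefined ? [] : [v]);

function statementMatches(stmt, action, resource) {
  const patterns = asList(stmt.Action !== undefined ? stmt.Action : stmt.NotAction);
  const hit = patterns.some((p) => wildcardToRegex(p, true).test(action)); // action names are case-insensitive
  const actionMatch = stmt.NotAction !== undefined ? !hit : hit;
  const resourceMatch = asList(stmt.Resource).some((r) => wildcardToRegex(r, false).test(resource));
  return actionMatch && resourceMatch;
}

// Decision for one action on one ARN across all attached policies.
function evaluate(policies, action, resource) {
  let allowed = false;
  for (const policy of policies) {
    for (const stmt of asList(policy.Statement)) {
      if (!statementMatches(stmt, action, resource)) continue;
      if (stmt.Effect === "Deny") return "deny"; // explicit deny wins outright
      if (stmt.Effect === "Allow") allowed = true;
    }
  }
  return allowed ? "allow" : "deny"; // implicit deny
}

// Lint: Allow statements that grant "everything" or "everything except".
// NotAction reads like a restriction to humans but is a grant of the complement.
function overbroadStatements(policy) {
  return asList(policy.Statement).filter(
    (s) =>
      s.Effect === "Allow" &&
      (asList(s.Action).includes("*") || s.NotAction !== undefined) &&
      asList(s.Resource).includes("*"),
  );
}

// Constructed sample policies (not real account data).
const devPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"], Resource: "arn:aws:s3:::app-assets/*" },
    { Effect: "Allow", NotAction: "iam:*", Resource: "*" }, // "everything but IAM" is nearly everything
  ],
};
const guardrail = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Deny", Action: "s3:DeleteBucket", Resource: "*" }],
};

module.exports = { wildcardToRegex, statementMatches, evaluate, overbroadStatements, devPolicy, guardrail };
```

The lint is the part that addresses the human side of the abstract: the second statement of devPolicy is the one reviewers skim past, and the evaluator shows it grants ec2:TerminateInstances on every instance while the guardrail's Deny still wins wherever it applies.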

Speakers

Alex Smolen, Engineering Manager, Security and Infrastructure, Clever
Alex is a security-focused software engineering manager at Clever. He cares about usable security, privacy by design, smooth music, and fresh coffee. Before joining Clever, Alex "defended the bird" at Twitter as the tech lead for the Account Security t...


Friday April 6, 2018 1:00pm - 1:40pm

1:40pm

Quick Break
Friday April 6, 2018 1:40pm - 1:50pm

1:50pm

Revocation is broken, here's how we're fixing it
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of revocation.

Speakers

Scott Helme
Scott Helme is a security researcher, consultant and international speaker. He can often be found talking about web security and performance online and helping organisations better deploy both. Founder of report-uri.io, a free security reporting service, and securityheaders.io, a...


Friday April 6, 2018 1:50pm - 2:30pm

2:30pm

Coffee and snacks!
Snacks, coffee, beverages

Friday April 6, 2018 2:30pm - 3:00pm

3:00pm

.NET Serialization: Detecting and defending vulnerable endpoints
2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution gadget (RCE from now on) finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. .NET is next in line; formatters such as BinaryFormatter and NetDataContractSerializer are known to share similar mechanics which make them potentially vulnerable to similar RCE attacks. However, as we saw with Java before, the lack of RCE gadgets led some software vendors to not take this issue seriously. In this talk, we will analyze .NET serializers including third party JSON parsers for potential RCE vectors. We will provide real-world examples of vulnerable code and more importantly, we will review how these vulnerabilities were detected and fixed in each case.
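Finding these endpoints starts with finding the sinks. As an added example, not the speaker's tooling, here is a first-pass source scanner for the .NET formatters the abstract names (BinaryFormatter, NetDataContractSerializer and their relatives), for a JSON.NET TypeNameHandling setting other than None, and for XML/DataContract serializers constructed from a runtime-resolved type. The C# input is a constructed snippet embedded in the script; a real run would walk a repository. Hits are leads for review, not confirmed vulnerabilities: exploitability depends on whether untrusted input reaches the sink, and on any SerializationBinder restricting the types that can be resolved.

```javascript
// Added example (not from the talk): line-oriented sink scanner for .NET
// deserialization entry points. Patterns are deliberately simple and will
// miss aliased or split-across-lines usages.

const SINK_PATTERNS = [
  { sink: "BinaryFormatter", re: /\bnew\s+BinaryFormatter\s*\(/ },
  { sink: "SoapFormatter", re: /\bnew\s+SoapFormatter\s*\(/ },
  { sink: "NetDataContractSerializer", re: /\bnew\s+NetDataContractSerializer\s*\(/ },
  { sink: "LosFormatter / ObjectStateFormatter", re: /\bnew\s+(LosFormatter|ObjectStateFormatter)\s*\(/ },
  { sink: "JavaScriptSerializer with SimpleTypeResolver", re: /\bnew\s+JavaScriptSerializer\s*\(\s*new\s+SimpleTypeResolver/ },
  { sink: "JSON.NET TypeNameHandling other than None", re: /\bTypeNameHandling\s*=\s*TypeNameHandling\.(?!None\b)\w+/ },
  {
    sink: "XML/DataContract serializer built from a runtime-resolved type",
    re: /\bnew\s+(XmlSerializer|DataContractSerializer|DataContractJsonSerializer)\s*\(\s*Type\.GetType\s*\(/,
  },
];

// Returns one finding per (line, sink) pair: { file, line, sink, code }.
function scanSource(source, fileName = "<input>") {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const { sink, re } of SINK_PATTERNS) {
      if (re.test(text)) findings.push({ file: fileName, line: index + 1, sink, code: text.trim() });
    }
  });
  return findings;
}

// Constructed C# sample: three sinks and one safe JSON.NET configuration.
const SAMPLE_CS = `
using System.Runtime.Serialization.Formatters.Binary;
public class Handler {
    public object Load(Stream s) {
        var bf = new BinaryFormatter();
        return bf.Deserialize(s);
    }
    public T Parse<T>(string json) {
        var safe = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
        var risky = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto };
        return JsonConvert.DeserializeObject<T>(json, risky);
    }
    public object Resolve(string typeName, Stream s) {
        var xs = new XmlSerializer(Type.GetType(typeName));
        return xs.Deserialize(s);
    }
}`;

function report(findings) {
  return findings.map((f) => `${f.file}:${f.line} [${f.sink}] ${f.code}`).join("\n");
}

module.exports = { SINK_PATTERNS, scanSource, report, SAMPLE_CS };
```

Each hit should be traced backwards to its input: a BinaryFormatter fed only from a file the service wrote itself is a different finding from one reading a request body, and that trace is the "detected and fixed" part of the talk that a grep cannot do for you.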

Speakers

Alvaro Muñoz, Principal Software Security Researcher, Micro Focus Fortify
Alvaro Muñoz (@pwntester) works as Principal Software Security Researcher with Micro Focus Fortify. In this role, Muñoz can apply his passion for understanding software architecture and how security dependencies permeate systems. Before joining the re...


Friday April 6, 2018 3:00pm - 3:40pm

3:40pm

Quick Break
Friday April 6, 2018 3:40pm - 3:50pm

3:50pm

Starting an AppSec Program: An Honest Retrospective
This talk will cover the lessons learned from a 2-year journey starting an appsec program at a small-medium sized company that previously had no security program. This will be an honest look at what worked, what didn't work, as well as a follow-up analysis. There will be plenty of stories, common sense perspective, as well as discussion around goal-setting and execution. This will be the talk I wish I had two years ago when I was starting this adventure.

Speakers

John Melton, Principal Member of Technical Staff, Oracle, NSBGU
John is currently a principal member of technical staff at Oracle, NSBGU. His previous positions have been focused on secure software engineering, in the technology, financial and defense sectors. He also volunteers at OWASP, working primarily on the A...


Friday April 6, 2018 3:50pm - 4:30pm

4:30pm

Quick Break
Friday April 6, 2018 4:30pm - 4:40pm

4:40pm

Building Better Defenses: Engineering for the Human Factor
In this talk, Allison Miller will explore how today's defenders are evolving from a relatively simple model — isolation- and perimeter-based — into a more dynamic and flexible form that enables interconnectivity and data flows across independent environments, in real time and at scale. Upleveling our game in defense requires a more sophisticated approach to deflecting exploits and vulns, but also means designing for the "human factor": mapping out complex sets of incentives, designing for interdependencies, and inventing new approaches to thinking about security, risk, & trust. Allison will discuss ideas for the next wave of security engineers and practitioners, including lessons learned from applying big data plus ML/AI in developing real-time risk modeling & algorithmic defense, and how today's defenders are rewriting the playbooks on protecting the end-user zone.

Speakers

Allison Miller, aka @selenakyle
Allison Miller leads the engineering efforts for Bank of America's information security organization. With over 15 years of building teams and technology that protect people and platforms, Allison is known for her expertise in designing and implementing real...


Friday April 6, 2018 4:40pm - 5:20pm